The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1. This indicates that all three major legal mechanisms under China's Personal Information Protection Law, namely CAC-led security assessment, certification by licensed professional institutions, and Chinese SCCs, are all fully established with the necessary details for implementation. Application scope According to the SCC Regulation... Read More

China’s new Personal Information Protection Law takes effect today, Nov. 1, just over two months after its adoption, with companies seeking to figure out how to best comply and regulators working to answer remaining questions. The Standing Committee of the National People’s Congress passed the law in August to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” The law includes pro... Read More

China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law. One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and... Read More

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL. Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data t... Read More

On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant to Article 38 of China’s Personal Information Protection Law, under which the government-approved standard contract is one of the lawful transfer mechanisms available that a personal information proce... Read More

The Personal Information Protection Law is the first law dedicated to protecting personal information in China, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration, and criminal penalties. Every individual or organization that acts as a data handler, including state organizations as stipulated in Article 33, will be subject to the enforcement o... Read More

China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In this third article in a five-part series exploring the top 5 operational impacts of the PIPL, Xiaomi Head of Security and Privacy Compliance Wenkuan Song analyzes the law's personal information protection officer requirement with a look into which companies need to appoint an officer, general respon... Read More

China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In the second of a series exploring the top-5 operational impacts of the PIPL, Rui Bai Law Firm Head of Corporate Xiaobei Li analyzed the law's legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.Full Story... Read More

In this five-part series, we examine several facets of the Personal Information Protection Law of the People’s Republic of China, which came into force Nov. 1, after two rounds of public consultation. The drafting of the PIPL was heavily influenced by the EU General Data Protection Regulation, and follows GDPR closely in many areas. However, it has distinct features, scope and exclusions that global companies need to understand. A key threshold distinction between the GDPR and the PIPL relates... Read More

South China Morning Post reports China's Ministry of Industry and Information Technology ordered 106 mobile applications to be removed from app stores over violations of the Personal Information Protection Law and Data Security Law. Following investigation and prior scrutiny, the MIIT found the companies hadn't come into compliance with data collection requirements under the law. According to Reuters, Russia banned privacy-focused browser Tor following allegations that it was enabling access ... Read More

The Cyberspace Administration of China released draft regulations for its data security laws, including the Personal Information Protection Law and others, Bloomberg reports. The draft regulations hone in on four categories of data, including personal information, while clarifying how businesses are covered and what is required of them under specific laws. Also addressed in the regulations are provisions around extraterritorial scope, cross-border data transfers, data breach notification require... Read More

The People's Bank of China will begin taking action against financial technology companies collecting and using personal data, the South China Morning Post reports. In an 8-minute keynote speech for Hong Kong's 2021 FinTech Week, the central bank's Governor Yi Gang said making stronger data protection is "an urgent matter" in light of companies collecting and leaking personal data. "We are cracking down on excessive collection of consumer data, and unfair practices that require customers to hand... Read More

The People’s Republic of China broke new ground by announcing draft regulations on the widespread use of algorithmic recommendation technology. The regulations are, according to one expert, the first of their kind globally. And because China will soon exceed one billion internet users — roughly 20% of global internet users — these regulations will cover nearly one in five users on earth. The Internet Information Service Algorithmic Recommendation Management Provisions were released after passag... Read More

As explained in our previous post, China enacted its first fundamental law in cyberspace, the Cybersecurity Law, in 2016. Five years later, in 2021, China followed up with two more pieces of landmark legislation in this space: the Data Security Law and the Personal Information Protection Law. Taken as a whole, these three laws form an overarching framework that will govern data security, data protection and cybersecurity in China for years to come. Under the framework established by these three... Read More

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1). From a broad... Read More

The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency. The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world's top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without ... Read More

China's Ministry of Industry and Information Technology issued guidelines for the construction of a security standard system for the Internet of Things. The guidance seeks to outline a framework that will promote public network security risk mitigation and prevention, along with development and implementation of standards for the IoT. Software security, access authentication and data security are among the standard requirements listed by MIIT.Full Story... Read More

Shanghai City is setting up a data exchange to improve efficiency in manufacturing, Reuters reports. Vice Mayor Wu Qing said the city would encourage companies to share some data and improve data regulations. China recently passed its Personal Information Protection Law, which will be implemented 1 Nov. Editor’s note: IAPP Editorial Director Jedidiah Bracy, CIPP, reported details on PIPL’s enactment.Full Story... Read More

The Cyberspace Administration of China released a draft of its "Internet Information Service Algorithm Recommendation Management Regulations." The regulations are meant to cover the use of "algorithmic recommendation technology" to provide information services within China. Violations could result in fines ranging from 5,000 to 30,000 yuan. The CAC is accepting public comments on the draft regulation until Sept. 26.Full Story... Read More

The Standing Committee of the Shenzhen Municipal People's Congress passed China's first local data law. The "Shenzhen Special Economic Zone Data Regulations" would prohibit applications from restricting services to users who do not agree to data access agreements. Violations of the law could result fines upwards of 50 million yuan. The law will go into effect 1 Jan.Full Story... Read More

Until now, China’s data localization and cross-border data transfer requirements were not laid out in one piece of legislation but could be found scattered in the Cybersecurity Law and its draft implementing regulations, as well as in various sectoral regulations, which contain specific requirements applicable to data processed by entities in specific sectors.    With the June 10 enactment of the Data Security Law that will take effect Sept. 1 and the upcoming Personal Information Protection La... Read More

The People’s Bank of China is working to relieve privacy concerns associated with the nation’s digital currency, saying “controllable anonymity” was a key feature in its design, China Macro Economy reports. Research has shown mobile users are worried about having to share too much personal information, while private businesses do not trust the anonymity of payments. “Establishing both proper identification and privacy in the payment system is key,” Bank of International Settlements Head of Resea... Read More

The South China Morning Post reports the Chinese government published new standards for the collection of personal data, specifically defining "necessary" data collection. The definition varies based on the application and its service, but the regulation, which takes effect May 1, curbs app providers from collecting a broad range of data under a bundled consent model. Notably, the regulation will cover 39 categories of apps in some fashion.Full Story... Read More

The Civil Code of the People's Republic of China went into effect 1 Jan., China Daily reports. The code prohibits organizations from sending spam messages via text messages, phone calls and emails, as well as various surveillance activities. "It's the first time that a law defines what privacy is," Haidian District People's Court Judge Chen Changyi said. "In the past it was too vague, and that often gave us difficulties in case hearings and rulings."Full Story... Read More

On Oct. 21, 2020, the Standing Committee of the National People’s Congress of China released the draft Personal Information Protection Law to solicit public opinions. Many rules of the draft PIPL appear to be similar to those of the EU General Data Protection Regulation, including its territorial applicability.  At first glance, the territorial applicability provisions of the draft PIPL bear some resemblance to those of the GDPR. However, after taking a closer look at the wording of both laws, ... Read More

The Beijing Internet Court ruled against Tencent Holdings and ByteDance, owner of Douyin and TikTok, in cases alleging misuse of user data, the South China Morning Post reports. Plaintiffs argued Tencent violated users’ privacy by sharing data between the WeRead and WeChat apps. Tencent was ordered to stop sharing the data and pay 6,600 yuan. In a case against Douyin over “people you may know” recommendations, the company was ordered to delete the users’ information and pay 5,231 yuan.Full Story... Read More

Twenty separate federal lawsuits filed over the past year on behalf of TikTok users in California and Illinois have been merged into one legal action in federal court, NPR reports. Through their parents, dozens of minors allege that TikTok collects information about their facial characteristics, locations and close contacts and sends that information to China. In a ruling Tuesday, federal judges said the case will be based in the U.S. District Court for the Northern District of Illinois.Full Sto... Read More

China has finally released its own version of the U.S. Children's Online Privacy Protection Act. On Aug. 23, the Cyberspace Administration of China released the final version of the "Measures on Online Protection of Children’s Personal Data," which will come into force Oct. 1. The measures provide further clarity on how to protect children’s personal data online under the framework of China's Cyber Security Law. Not only do the measures have a broader application compared to its counterpart in ... Read More